Snort mailing list archives
R: no documentation about some rules
From: "Maurizio Di Pietro \(Esterna\)" <m.dipietro () resi it>
Date: Fri, 29 Aug 2014 11:21:12 +0200
I am speaking about this documentation: https://www.snort.org/rule_docs, and the community documentation, the tar opensource.tar.gz, a set of txt files, one per event.

I also looked on VirusTotal, for example for the event 23493 (Win.Trojan.ZeroAccess), but I would like to understand why the rule searches for the 4 bytes (28, 94, 8d, ab) from the fifth to the eighth byte. I did not understand the rule. Does the malware contact the C&C by UDP on port 16464 and send these bytes? Why? How does it work? This is very important to understand whether it is a false positive.

Thanks

From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: Thursday, 28 August 2014 17:14
To: Maurizio Di Pietro (Esterna)
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] no documentation about some rules

> On Aug 28, 2014, at 10:40 AM, Maurizio Di Pietro (Esterna) <m.dipietro () resi it> wrote:
>
>> I have one instance of Snort that raises some events. I did not find the documentation about them online or in opensource.tar.gz. All the events belong to two categories, malware-cnc.rules and blacklist.rules. For example 27247, 28539, 28805, 29262, 24034, 30833, 23493, 30825, 30842, 30840, 30836, 30827, 30835, 31136, 30260, etc. Why is there no documentation about them? How can I find information about these events? I'm a registered user and use rules 2962.
>
> Documentation exists in two forms. Either as a separate doc (which is what you are talking about), or the links within the rules themselves. For example, every malware-cnc rule is linked to the sample on VirusTotal that generated the traffic that the rule was written off of.
>
> --
> Joel Esler
> Open Source Manager
> Threat Intelligence Team Lead
> Talos
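The question above concerns a rule that matches four fixed bytes at a fixed position in a UDP datagram to port 16464 and whether a hit could be a false positive. The following is an added example (it is not from this thread, from the rule author, or from the Snort project) that emulates in plain Python the kind of match such a rule performs and shows why the position constraint matters when triaging an alert. The exact text of SID 23493 is not shown in the thread, so the content/offset/depth values, the helper names, the sample datagrams and the uniform-random-payload model used for the chance-match estimate are all assumptions of this example.

```python
# Added example, not code from the Snort mailing-list thread or the Snort project.
# Emulates a Snort-style content match constrained by offset and depth: the four
# bytes 28 94 8d ab must sit at payload bytes 5..8 (zero-based offset 4) of a
# UDP datagram to port 16464. The real rule text for SID 23493 is not in the
# thread, so OFFSET/DEPTH and the port check are assumed approximations.
from dataclasses import dataclass
from typing import Iterable, List, Tuple

MAGIC = bytes.fromhex("28948dab")  # the four bytes quoted in the question
OFFSET = 4                         # "from the fifth to the eighth byte" -> zero-based offset 4 (assumed)
DEPTH = 4                          # only inspect those four bytes, not the rest of the payload (assumed)
DST_PORT = 16464                   # UDP port mentioned in the question


@dataclass
class UdpDatagram:
    """Minimal stand-in for a captured UDP datagram (constructed for this example)."""
    dst_port: int
    payload: bytes
    label: str = ""


def content_match(payload: bytes, pattern: bytes, offset: int, depth: int) -> bool:
    """Emulate Snort's content match with offset/depth: the pattern must appear
    entirely inside payload[offset:offset+depth], nowhere else counts."""
    if offset < 0 or depth < len(pattern):
        return False
    window = payload[offset:offset + depth]
    return pattern in window


def rule_23493_like(dg: UdpDatagram) -> bool:
    """Assumed approximation of the rule: destination port AND the fixed bytes
    at the fixed position. Both conditions must hold for an alert."""
    return dg.dst_port == DST_PORT and content_match(dg.payload, MAGIC, OFFSET, DEPTH)


def expected_random_matches(datagrams_seen: int, pattern_len: int = len(MAGIC)) -> float:
    """Expected number of chance hits if the bytes at the checked offset were
    uniformly random (an assumed model, useful as a rough false-positive bound):
    one fixed position, so the chance per datagram is 1 / 256**pattern_len."""
    return datagrams_seen / float(256 ** pattern_len)


# Constructed sample traffic: only the first datagram should fire.
SAMPLES = [
    UdpDatagram(16464, bytes.fromhex("01020304") + MAGIC + b"\x00" * 8, "magic at offset 4, right port"),
    UdpDatagram(16464, MAGIC + b"\x00" * 12, "magic at offset 0 (wrong position)"),
    UdpDatagram(53, bytes.fromhex("01020304") + MAGIC, "magic at offset 4 but DNS port"),
    UdpDatagram(16464, b"\x00" * 16, "no magic at all"),
]


def triage(datagrams: Iterable[UdpDatagram]) -> List[Tuple[str, bool]]:
    """Run the emulated rule over captured datagrams and report which ones alert,
    so an analyst can see exactly which condition a suspicious packet satisfied."""
    return [(dg.label, rule_23493_like(dg)) for dg in datagrams]


if __name__ == "__main__":
    for label, hit in triage(SAMPLES):
        print(("ALERT  " if hit else "quiet  ") + label)
    # Rough chance-match estimate over a billion datagrams to this port.
    print("expected random hits per 1e9 datagrams:", expected_random_matches(1_000_000_000))
```

Running the script shows that a payload carrying the same four bytes at the wrong offset, or on a different port, does not alert, which is the first thing to check when a captured packet is compared against the rule. The chance-match estimate is only a bound under the assumed random-payload model; real traffic to a single port is rarely uniform, so a hit still needs to be confirmed against the sample behaviour the rule's VirusTotal reference describes.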
Current thread:
- no documentation about some rules Maurizio Di Pietro (Esterna) (Aug 28)
- Re: no documentation about some rules Joel Esler (jesler) (Aug 28)
- R: no documentation about some rules Maurizio Di Pietro (Esterna) (Aug 29)
- Re: no documentation about some rules Joel Esler (jesler) (Aug 29)
- R: no documentation about some rules Maurizio Di Pietro (Esterna) (Aug 29)
- Re: no documentation about some rules Jamie Riden (Aug 28)
- Re: no documentation about some rules Joel Esler (jesler) (Aug 28)
- Re: no documentation about some rules Jamie Riden (Aug 29)
- Re: no documentation about some rules Joel Esler (jesler) (Aug 28)
- Re: no documentation about some rules Joel Esler (jesler) (Aug 28)